HIPAA S3 Control Mapping
This reference maps HIPAA Security Rule sections (45 CFR §§ 164.3xx) to Stave S3 controls, the AWS CLI command that produces the evidence, and the pass/fail observation shapes each control evaluates.
See also: HIPAA per-control CLI evidence for the control-by-control CLI output schemas, and the HIPAA Compliance how-to for running the HIPAA pack.
S3 HIPAA pack control spec
| Control ID | HIPAA section | What to check in AWS | AWS CLI evidence | Pass condition | Fail condition | Bucket-only? |
|---|---|---|---|---|---|---|
| HIPAA.ENCRYPT.001 | 45 CFR § 164.312(a)(2)(iv) | Default bucket encryption is enabled | aws s3api get-bucket-encryption --bucket <bucket> | ServerSideEncryptionConfiguration.Rules exists | encryption config missing | Yes |
| HIPAA.ENCRYPT.002 | 45 CFR § 164.312(a)(2)(iv) | Prefer SSE-KMS for stronger key control | aws s3api get-bucket-encryption --bucket <bucket> | SSEAlgorithm = aws:kms | SSEAlgorithm != aws:kms | Yes |
| HIPAA.PUBLIC.001 | 45 CFR § 164.312(a)(1) | Bucket public access block is fully enabled | aws s3api get-public-access-block --bucket <bucket> | all four flags are true | any flag is false | Yes, but account-level settings also matter |
| HIPAA.TRANSPORT.001 | 45 CFR § 164.312(e)(1) | Bucket policy denies non-TLS requests | aws s3api get-bucket-policy --bucket <bucket> | policy has Deny with aws:SecureTransport = false | no matching deny statement | Yes |
| HIPAA.AUDIT.001 | 45 CFR § 164.312(b) | Server access logging is enabled | aws s3api get-bucket-logging --bucket <bucket> | LoggingEnabled.TargetBucket exists | LoggingEnabled absent | Yes |
| HIPAA.AUDIT.002 | 45 CFR § 164.312(b) | CloudTrail object-level data events are enabled | aws cloudtrail get-event-selectors --trail-name <trail> | selector includes AWS::S3::Object for target bucket or all buckets | no S3 object data selector | No |
| HIPAA.INTEGRITY.001 | 45 CFR § 164.312(c)(1) | Bucket versioning is enabled | aws s3api get-bucket-versioning --bucket <bucket> | Status = Enabled | Status absent or Suspended | Yes |
| HIPAA.INTEGRITY.002 | 45 CFR § 164.312(c)(1) | Object Lock is enabled | aws s3api get-object-lock-configuration --bucket <bucket> | ObjectLockEnabled = Enabled | object lock config absent or disabled | Yes |
| HIPAA.ACCESS.001 | 45 CFR § 164.312(a)(1) | No public bucket policy or ACL path to data | bucket policy + public access block + ACL evidence | no public read/list/write path | any public path exists | Partly |
| HIPAA.ACCESS.002 | 45 CFR § 164.312(a)(1), § 164.502(b) | Least privilege and minimum necessary scope | IAM role policies, bucket policy scope, prefixes | access limited to exact principals and prefixes needed | broad bucket or object access beyond need | No |
| HIPAA.REVIEW.001 | 45 CFR § 164.308(a)(1)(ii)(D) | Logs are regularly reviewed | process evidence, alerts, review workflow | documented and operating review process | logs exist but no review evidence | No |
| HIPAA.MALWARE.001 | 45 CFR § 164.308(a)(5)(ii)(B) | Uploaded files are scanned for malware | GuardDuty/Lambda/AV pipeline evidence | scanning pipeline exists and is active | no malware-scanning evidence | No |
| HIPAA.BREACHSUPPORT.001 | 45 CFR §§ 164.400–414 | Misconfigurations and suspicious access can be detected | GuardDuty, Config, CloudTrail, access logs | evidence exists for incident investigation | no detection/investigation evidence | No |
| HIPAA.REPLICATION.001 | 45 CFR § 164.308(a)(7) | Compliance-tagged buckets have replication enabled | aws s3api get-bucket-replication --bucket <bucket> | ReplicationConfiguration.Rules exists and is Enabled | replication config absent or disabled | Yes |
| HIPAA.REPLICATION.002 | 45 CFR § 164.308(a)(7)(ii)(A) | PHI bucket replication is cross-region | aws s3api get-bucket-replication --bucket <bucket> | destination bucket ARN is in a different region than source | destination in same region as source | Yes |
| HIPAA.REPLICATION.003 | 45 CFR § 164.312(a)(2)(iv) | Replication destination bucket is encrypted | destination bucket encryption config | destination has SSE-S3 or SSE-KMS default encryption | destination encryption absent | No |
| HIPAA.MACIE.001 | 45 CFR § 164.312(b) | Macie enabled for sensitive data buckets | aws macie2 get-bucket-statistics | Macie classification job active for bucket | Macie not enabled or no active job | Yes |
| HIPAA.MACIE.002 | 45 CFR § 164.308(a)(1)(ii)(D) | Macie automated discovery is running | aws macie2 get-automated-discovery-configuration | status = ENABLED | automated discovery disabled | No |
| HIPAA.OWNERSHIP.001 | 45 CFR § 164.312(a)(1) | Object Ownership is BucketOwnerEnforced | aws s3api get-bucket-ownership-controls --bucket <bucket> | OwnershipControls.Rules[0].ObjectOwnership = BucketOwnerEnforced | ObjectOwnership is not BucketOwnerEnforced | Yes |
| HIPAA.OBJECTACL.001 | 45 CFR § 164.312(a)(1) | No objects individually public via ACL | bucket public access status + object ACL audit | no objects with public ACL grants | objects can be public via ACL | Partly |
| HIPAA.ACCOUNTPAB.001 | 45 CFR § 164.312(a)(1) | Account-level Block Public Access is enabled | aws s3control get-public-access-block --account-id <id> | all four account-level PAB flags are true | any account-level flag is false | No |
| HIPAA.INVENTORY.001 | 45 CFR § 164.312(b) | S3 Inventory enabled for bucket content visibility | aws s3api list-bucket-inventory-configurations --bucket <bucket> | at least one inventory configuration exists | no inventory configuration | Yes |
| HIPAA.MFA.HWKEY.001 | 45 CFR § 164.312(d) | Privileged accounts use hardware MFA | aws iam list-mfa-devices + device type check | admin users have hardware MFA device | admin user has virtual/SMS MFA | No |
| HIPAA.INACTIVE.001 | 45 CFR § 164.312(a)(2)(i) | IAM accounts inactive 90+ days are flagged | aws iam generate-credential-report + last activity check | no accounts inactive > 90 days | accounts inactive > 90 days exist | No |
| HIPAA.ACCESS.PHI.001 | 45 CFR § 164.502(b) | PHI bucket access scoped to specific principals | bucket policy + IAM role policies + prefix scoping | access limited to exact principals and prefixes needed | broad access beyond minimum necessary | No |
| HIPAA.MALWARE.001 | 45 CFR § 164.308(a)(5)(ii)(B) | PHI bucket has malware scanning enabled | aws guardduty get-detector + S3 protection status | GuardDuty S3 malware protection or Lambda AV active | no malware scanning configured | Partly |
| HIPAA.BREACHSUPPORT.001 | 45 CFR §§ 164.400–414 | PHI bucket has all detection infrastructure active | access logs + CloudTrail + GuardDuty + Config evidence | all four detection components present | any component missing | No |
CLI output and pass/fail JSON
HIPAA.ENCRYPT.001 / HIPAA.ENCRYPT.002
Source: AWS GetBucketEncryption says S3 returns the default encryption configuration, and by default buckets have SSE-S3 unless configured otherwise. (AWS Documentation)
CLI:
```shell
aws s3api get-bucket-encryption --bucket <bucket>
```
Representative output:
```json
{
  "ServerSideEncryptionConfiguration": {
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "aws:kms",
          "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
        },
        "BucketKeyEnabled": true
      }
    ]
  }
}
```
Pass:
```json
{
  "encryption": {
    "enabled": true,
    "mode": "aws:kms",
    "kms_key_id": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    "bucket_key_enabled": true
  }
}
```
Fail:
```json
{
  "encryption": {
    "enabled": false,
    "mode": null,
    "kms_key_id": null,
    "bucket_key_enabled": false,
    "reason": "No compliant default bucket encryption configuration found"
  }
}
```
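As an added example (not Stave's own code), a Python evaluator that turns the get-bucket-encryption response into the observation shape above and applies the ENCRYPT.001 and ENCRYPT.002 pass conditions. The sample response is constructed from the representative output; a None input stands for a bucket whose call returned no configuration.

```python
# Constructed sample: the representative get-bucket-encryption output above.
SAMPLE_KMS = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
            },
            "BucketKeyEnabled": True,
        }]
    }
}

FAIL_REASON = "No compliant default bucket encryption configuration found"


def evaluate_encryption(raw):
    """Map get-bucket-encryption JSON (None when the bucket returned no
    configuration) to the 'encryption' observation shape."""
    rules = (raw or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return {"encryption": {"enabled": False, "mode": None, "kms_key_id": None,
                               "bucket_key_enabled": False, "reason": FAIL_REASON}}
    rule = rules[0]  # S3 allows a single default-encryption rule per bucket
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    return {"encryption": {
        "enabled": True,
        "mode": default.get("SSEAlgorithm"),            # "AES256" for SSE-S3, "aws:kms" for SSE-KMS
        "kms_key_id": default.get("KMSMasterKeyID"),    # absent for SSE-S3, so None
        "bucket_key_enabled": bool(rule.get("BucketKeyEnabled", False)),
    }}


def hipaa_encrypt_001(obs):
    """Pass condition: a default encryption rule exists at all."""
    return obs["encryption"]["enabled"]


def hipaa_encrypt_002(obs):
    """Pass condition: the default algorithm is SSE-KMS (SSEAlgorithm = aws:kms)."""
    return obs["encryption"]["mode"] == "aws:kms"
```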
HIPAA.PUBLIC.001
Source: AWS GetPublicAccessBlock returns the bucket-level public access block config only, and AWS says effective behavior also depends on account-level settings. (AWS Documentation)
CLI:
```shell
aws s3api get-public-access-block --bucket <bucket>
```
Representative output:
```json
{
  "PublicAccessBlockConfiguration": {
    "BlockPublicAcls": true,
    "IgnorePublicAcls": true,
    "BlockPublicPolicy": true,
    "RestrictPublicBuckets": true
  }
}
```
Pass:
```json
{
  "public_access": {
    "block_public_acls": true,
    "ignore_public_acls": true,
    "block_public_policy": true,
    "restrict_public_buckets": true,
    "compliant": true
  }
}
```
Fail:
```json
{
  "public_access": {
    "block_public_acls": true,
    "ignore_public_acls": false,
    "block_public_policy": true,
    "restrict_public_buckets": false,
    "compliant": false,
    "reason": "One or more PublicAccessBlock settings are not enabled"
  }
}
```
HIPAA.TRANSPORT.001
HIPAA transmission security requires protection against unauthorized access during transmission. (eCFR) AWS supports this with bucket policy conditions, including TLS-related conditions. (AWS Documentation)
CLI:
```shell
aws s3api get-bucket-policy --bucket <bucket>
```
Representative output:
```json
{
  "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::example-bucket\",\"arn:aws:s3:::example-bucket/*\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}"
}
```
Pass:
```json
{
  "transport_security": {
    "bucket_policy_present": true,
    "https_only_enforced": true,
    "matching_statement": {
      "effect": "Deny",
      "condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  }
}
```
Fail:
```json
{
  "transport_security": {
    "bucket_policy_present": true,
    "https_only_enforced": false,
    "reason": "Bucket policy does not deny requests where aws:SecureTransport is false"
  }
}
```
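As an added example (not Stave's own code), a Python evaluator for HIPAA.TRANSPORT.001 that parses the policy document embedded as a string in the get-bucket-policy response. It goes slightly beyond the table's pass condition: a Deny counts only if it applies to every principal and every S3 action and covers both the bucket ARN and its objects, since a Deny scoped to one action or one prefix does not enforce HTTPS-only for the bucket. The sample response is constructed from the representative output.

```python
import json

# Constructed sample: the representative get-bucket-policy output above
# (the Policy value is a JSON document embedded as a string).
SAMPLE_POLICY_RESPONSE = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    })
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _denies_plaintext(stmt, bucket):
    """True only for a Deny on all principals and all S3 actions that covers
    both the bucket and its objects and is conditioned on SecureTransport=false."""
    if stmt.get("Effect") != "Deny":
        return False
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if not set(_as_list(stmt.get("Action", []))) & {"s3:*", "*"}:
        return False
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    if str(flag).lower() != "false":   # policies may carry "false" or false
        return False
    resources = set(_as_list(stmt.get("Resource", [])))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return "*" in resources or {bucket_arn, bucket_arn + "/*"} <= resources

def evaluate_transport(raw, bucket):
    """Map get-bucket-policy JSON (None when the bucket has no policy) to the
    HIPAA.TRANSPORT.001 observation shape."""
    if not raw or "Policy" not in raw:
        return {"transport_security": {"bucket_policy_present": False,
                                       "https_only_enforced": False,
                                       "reason": "Bucket has no policy"}}
    for stmt in _as_list(json.loads(raw["Policy"]).get("Statement", [])):
        if _denies_plaintext(stmt, bucket):
            return {"transport_security": {
                "bucket_policy_present": True, "https_only_enforced": True,
                "matching_statement": {"effect": "Deny", "condition": stmt["Condition"]}}}
    return {"transport_security": {
        "bucket_policy_present": True, "https_only_enforced": False,
        "reason": "Bucket policy does not deny requests where aws:SecureTransport is false"}}
```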
HIPAA.AUDIT.001
HIPAA audit controls require mechanisms that record and examine activity. (eCFR) AWS get-bucket-logging returns server access logging status. (AWS Documentation)
CLI:
```shell
aws s3api get-bucket-logging --bucket <bucket>
```
Representative output:
```json
{
  "LoggingEnabled": {
    "TargetPrefix": "",
    "TargetBucket": "example-bucket-logs"
  }
}
```
Pass:
```json
{
  "logging": {
    "server_access_logging": {
      "enabled": true,
      "target_bucket": "example-bucket-logs",
      "target_prefix": ""
    }
  }
}
```
Fail:
```json
{
  "logging": {
    "server_access_logging": {
      "enabled": false
    },
    "reason": "Server access logging is not enabled"
  }
}
```
HIPAA.AUDIT.002
CloudTrail supports S3 object data events, and get-event-selectors exposes whether those selectors are configured. (AWS Documentation)
CLI:
```shell
aws cloudtrail get-event-selectors --trail-name <trail>
```
Representative output:
```json
{
  "EventSelectors": [
    {
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::S3::Object",
          "Values": [
            "arn:aws:s3:::example-bucket/"
          ]
        }
      ],
      "ReadWriteType": "All"
    }
  ],
  "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"
}
```
Pass:
```json
{
  "logging": {
    "object_level_logging": {
      "enabled": true,
      "source": "cloudtrail",
      "trail_arn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
      "selectors": [
        {
          "read_write_type": "All",
          "data_resources": [
            {
              "type": "AWS::S3::Object",
              "values": [
                "arn:aws:s3:::example-bucket/"
              ]
            }
          ]
        }
      ]
    }
  }
}
```
Fail:
```json
{
  "logging": {
    "object_level_logging": {
      "enabled": false,
      "reason": "No CloudTrail data event selector for AWS::S3::Object"
    }
  }
}
```
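As an added example (not Stave's own code), a Python evaluator for HIPAA.AUDIT.002 that applies the "target bucket or all buckets" pass condition to the basic event selectors above. A data resource value of arn:aws:s3 (or arn:aws:s3:::) selects every bucket, while arn:aws:s3:::<bucket>/ selects all objects in one bucket; a value ending in a deeper prefix is treated here as not covering the bucket. The sample is constructed from the representative output; trails configured with advanced event selectors return them under AdvancedEventSelectors instead, which this example does not parse.

```python
# Constructed sample: the representative get-event-selectors output above.
SAMPLE_SELECTORS = {
    "EventSelectors": [{
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": "AWS::S3::Object",
                           "Values": ["arn:aws:s3:::example-bucket/"]}],
        "ReadWriteType": "All",
    }],
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
}

ALL_BUCKETS = ("arn:aws:s3", "arn:aws:s3:::")


def _selector_covers(value, bucket):
    """True if a data resource value logs every object in `bucket`:
    either the all-buckets value or exactly arn:aws:s3:::<bucket>/.
    A prefix value such as arn:aws:s3:::<bucket>/phi/ covers only that prefix."""
    return value in ALL_BUCKETS or value == f"arn:aws:s3:::{bucket}/"


def evaluate_object_logging(raw, bucket):
    """Map get-event-selectors JSON to the 'object_level_logging' observation shape."""
    matched = []
    for sel in raw.get("EventSelectors", []):
        for dr in sel.get("DataResources", []):
            if dr.get("Type") != "AWS::S3::Object":
                continue
            values = dr.get("Values", [])
            if any(_selector_covers(v, bucket) for v in values):
                matched.append({"read_write_type": sel.get("ReadWriteType"),
                                "data_resources": [{"type": dr["Type"], "values": values}]})
    if not matched:
        return {"logging": {"object_level_logging": {
            "enabled": False,
            "reason": "No CloudTrail data event selector for AWS::S3::Object"}}}
    return {"logging": {"object_level_logging": {
        "enabled": True, "source": "cloudtrail",
        "trail_arn": raw.get("TrailARN"), "selectors": matched}}}
```

A practitioner will usually also want read_write_type to be "All" (or at least cover writes), since a ReadOnly selector records no object modifications.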
HIPAA.INTEGRITY.001
HIPAA integrity requires protection against improper alteration or destruction. (eCFR) AWS says GetBucketVersioning returns the versioning state and MFA Delete status. (AWS Documentation)
CLI:
```shell
aws s3api get-bucket-versioning --bucket <bucket>
```
Representative output:
```json
{
  "Status": "Enabled",
  "MFADelete": "Enabled"
}
```
Pass:
```json
{
  "integrity": {
    "versioning": {
      "enabled": true,
      "mfa_delete": true
    }
  }
}
```
Fail:
```json
{
  "integrity": {
    "versioning": {
      "enabled": false,
      "mfa_delete": false
    },
    "reason": "Bucket versioning is not enabled"
  }
}
```
HIPAA.INTEGRITY.002
AWS says Object Lock uses a write-once-read-many model and prevents deletion or overwrite for a fixed time or indefinitely. It also requires versioning. (AWS Documentation)
CLI:
```shell
aws s3api get-object-lock-configuration --bucket <bucket>
```
Representative output:
```json
{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "COMPLIANCE",
        "Days": 30
      }
    }
  }
}
```
Pass:
```json
{
  "integrity": {
    "object_lock": {
      "enabled": true,
      "mode": "COMPLIANCE",
      "days": 30
    }
  }
}
```
Fail:
```json
{
  "integrity": {
    "object_lock": {
      "enabled": false
    },
    "reason": "Object lock is not configured"
  }
}
```
Not fully provable from bucket-only data
These are valid HIPAA mappings, but bucket config alone cannot prove them:
| Control ID | Why not bucket-only |
|---|---|
| HIPAA.ACCESS.002 | Needs IAM role policies, caller identity paths, prefix scoping, and possibly KMS and VPC evidence |
| HIPAA.REVIEW.001 | HIPAA requires regular review procedures, not just log collection (eCFR) |
| HIPAA.MALWARE.001 | Needs GuardDuty, Lambda, or another malware-scanning pipeline |
| HIPAA.BREACHSUPPORT.001 | Needs incident detection and response evidence; breach notification is not just S3 configuration |
| HIPAA.ACCESS.001 | Partly bucket-testable, but full proof may require IAM, ACL, bucket policy, and account-level public access block evidence |
Source links
- HIPAA technical safeguards: (eCFR)
- HIPAA activity review requirement: (eCFR)
- S3 GetBucketEncryption: (AWS Documentation)
- S3 GetPublicAccessBlock: (AWS Documentation)
- S3 bucket policy examples: (AWS Documentation)
- S3 server access logging: (AWS Documentation)
- CloudTrail S3 data events: (AWS Documentation)
- S3 GetBucketVersioning: (AWS Documentation)
- S3 Object Lock: (AWS Documentation)